[News] Linux a Long Way Ahead of Windows in Role-based Access Control - Linux

This is a discussion on [News] Linux a Long Way Ahead of Windows in Role-based Access Control - Linux ; Go RBAC now
,----[ Quote ]
| Implement role-based access control for stronger security in your
| environment.
|
| [...]
|
| Linux has long had RBAC capabilities. Nearly any decent Linux distro will
| allow you to add ...

[News] Linux a Long Way Ahead of Windows in Role-based Access Control

Go RBAC now

,----[ Quote ]
| Implement role-based access control for stronger security in your
| environment.
|
| [...]
|
| Linux has long had RBAC capabilities. Nearly any decent Linux distro will
| allow you to add an RBAC security module. Many versions, such as SELinux
| (Security Enhanced Linux), come with RBAC by default. If you don't have
| SELinux, there's still a good chance your Linux supports RBAC already. Just
| look for the MAC module and read the man pages. There are also many
| developing RBAC initiatives, such as the OASIS XML-based RBAC effort for
| Web-based content (PDF).
`----

,----[ Quote ]
| 1985, huh? And when did this Microsoft patent happen? It was filed in
| 2000. Well gee, that doesn't make sense. How'd they get the patent?
| It certainly falls under the category of "obvious" if there's prior
| art such as sudo.
|
| What makes this whole thing funny, though, is something I saw a couple
| days ago. Head over to Builder-AU and listen to Peter Watson from
| Microsoft. He says,
|
| Â* "User Account Control is a great idea and strategically
| Â* a direction that sort of all operating systems and all technology
| Â* should be heading down"
|
| Excuse me? Does he really believe this is all Microsoft's great new
| idea?
|
| In the end, this seems like a patent that Microsoft will hold up and
| say "we have a patent and Linux is violating it!" They won't ever
| sue on it though (just leave the threat hanging to scare away
| potential users), because then they could have the patent revoked.
| It's better for them to just wave it around.
`----

,----[ Quote ]
| The most controversial aspect of Watson's comments all center around
| the idea that Microsoft is a leader with UAC, and that other OSes
| should follow suit. UAC is a cousin of myriad "superuser" process
| elevation strategies, which Mac OS X and all flavors of Linux
| already enjoy. The fact is that Microsoft is late to the party
| with their Microsoftized version of sudo. That's really what UAC
| is, after all: sudo with a fancy display mechanism (to make it hard
| to spoof) and extra monitoring to pick up on "suspicious" behavior.
`----

,----[ Quote ]
| Like most veteran Windows users, I balked when I first encountered the User
| Account Control (UAC) mechanism in the latter BETAs of Vista. The constant
| interruption of nearly every system or maintenance related task was
| unbearable. Finally, after one particularly frustrating bout of "move the
| file/yes I really want to move the file/please let me move the file/sorry, do
| dice buddy," I did what many early Vista users did: I turned UAC off. Â* Â*
|
| Hint: For those of you who haven't figured it out yet, the option to disable
| UAC is buried under the User Accounts sub-section of the Control Panel.
|
| Ah, the bliss of no UAC! I could now do whatever I wanted, whenever I wanted!
| It was just like Windows XP, but with a cooler UI!
`----

,----[ Quote ]
| So, when I was researching the way to determine the shadow storage
| size on Windows Vista for my February 23rd entry, I wasn't too surprised
| when I got an error message about needing to elevate my privilege after
| I tried to run vssadmin from a standard command shell. What a Linux
| system would have done right there would be to ask me for the
| administrator password.
`----

,----[ Quote ]
| The problem with Vistaâ€™s security implementation is that lots of warning
| dialog boxes don't provide security. Users get frustrated and eventually stop
| reading them altogether. They think of them as annoyances, an extra click
| required to get a feature to work. Is Windows Vista really more secure than
| the operating systems that preceded it, or simply more frustrating? Since
| Microsoft left us with no choice but to buy a PC with Vista pre-installed,
| weâ€™re inevitably stuck with it. Let the frustration begin. Â* Â* Â*
`----

,----[Quote ]
| "Oh, excuse me, is this supposed be a joke? We all remember all those
| Microsoft's statements about how serious Microsoft is about security in
| Vista and how all those new cool security features like UAC or Protected
| Mode IE will improve the world's security. And now we hear what?
`----

,----[ Quote ]
| At the end of the new Apple ad, the security guard finally asks the
| hapless PC: "You are coming to a sad realization. Cancel or allow?"
|
| Unfortunately, after conditioning the world to click "allow," all
| Microsoft will have accomplished is to pass the buck to the hapless
| PC user, trying to make the user responsible for anything bad that
| happens because they ultimately chose to allow it.
|
| While that may allow Microsoft?s security engineers to sleep at night,
| the rest of us won't rest as easy until Vista's holes are plugged
| with something more substantial than a dialog box.
`----

,----[ Quote ]
| A key security feature of Windows Vista, User Account Control (UAC) is
| still nearly unusable, Symantec has said.
|
| At a press presentation last week, Symantec vice president of
| engineering Rowan Trollope said Symantec's customers had found the
| feature so "chatty", that it was a burden on users, potentially
| creating new help-desk calls.
`----

,----[ Quote ]
| The Windows Vista features that will most benefit end users are
| likely to cause a flood of calls to enterprise IT help desks, it
| was claimed today.
|
| SupportSoft predicted that one of the main areas in which
| end-users are likely to experience problems will be dealing
| with Vista's security features.
`----

,----[ Quote ]
| Another bug that got past the extensive RTM testing process? Nope.
| It's a bug that came into existence during the finalization process.
| This bug wasn't there in RC2, but it's most definitely there now. All
| we can say is, hopefully this gets patched before SP6.
`----

,----[ Quote ]
| This will make every admin operation prompt you for credentials
| while it is great if you do a lot of remote operations it can
| become tedious if you are performing a lot of local admin operations.
`----

,----[ Quote ]
| I've been fairly critical of the new User Access Control (UAC) in
| Windows Vista, as I feel it is too secure to be usable, which will
| probably result in many users and corporations turning off and
| losing out on what could have been Vista?s best feature.
|
| [...]
|
| He recommends turning UAC back on after fixing the problem, but
| when users need to do this more than a couple of times to get a
| usable system, they will just leave it turned off.
`----

,----[ Quote ]
| One of Vista's big security features is 'User Account Protection'
| (or 'User Account Control') which pops up and asks for user
| authentication before software can make any administrative changes to
| the system. But the TweakVista utility can turn off UAP in one click...
`----

,----[ Quote ]
| Has the time finally come for the least-privilege user -- you know,
| setting your Windows client machines to run without system
| administrator rights?
|
| [...]
|
| Today, some Windows applications just won't run properly on a
| desktop without administrative rights. "It's a dirty little
| secret people sweep under the rug because they're not able to
| do much about the problem. A lot of applications and pieces
| of environments won't work if users aren't given admin rights,"
| says Steve Kleynhans, vice president for Gartner's client
| platforms group. "If you can get applications to function
| with lower rights, in a lot of cases it hampers the user
| experience."
`----

,----[ Quote ]
| In the interest of full disclosure I should make it clear that in a
| previous life time I was responsible for all of Microsoft's OS
| strategy for games and media, from writing the original DirectX
| development plan, to managing Microsoft?s relationships with the
| industries leading game developers. 10 years after launching DirectX
| 1.0, I still have strong opinions and feelings about how to make
| Windows a great game platform, and probably feel a stronger sense
| of pique than most when I see Microsoft making careless or callous
| mistakes that impact game developers.
`----